ISO 27001 Documentation: What's required? [+ Checklist]

Have you ever wondered what documents are required for ISO 27001?

Navigating the complex landscape of ISO 27001 documentation can be daunting.

To help you, this article strips that complexity away and sets out everything you need to know.

In this article we will cover:

  1. The different documentation types.
  2. The mandatory documents and the recommended (non-mandatory) documents.
  3. The records you need to keep to maintain compliance with ISO 27001.

By the end, you'll have a clear understanding of what's needed for successful certification, streamlining your path to robust information security.

Ready to master your ISO 27001 documentation?

Keep reading to unlock the full checklist!

Understanding ISO 27001

Before we delve into the documentation aspect, let's have a quick overview of ISO 27001 itself.

ISO 27001 is an internationally recognized standard for information security management.

It provides a systematic approach to managing and improving information security.

ISO 27001 is not a one-time thing but a process of continuous improvement through key activities, such as:

  • Regular risk assessments
  • Internal audits
  • Management reviews

This process of continuous improvement ensures that information security controls are not only implemented but also effective.

Furthermore, ISO 27001 is flexible and scalable. It allows you to tailor the requirements to your organisation's specific needs and risk profile.

ISO 27001 Documentation Explained

Now, let's talk about the documentation side of ISO 27001.

Documentation plays a crucial role in implementing and maintaining an effective information security management system (ISMS).

It serves as the backbone of your organisation's security practices, capturing policies, procedures, and records. The Standard itself uses a single term, "documented information", to cover both: the documents that say what you will do, and the records that prove you did it.

ISO 27001 documents come in many forms, from top-level policies to individual audit records, and together they are the written embodiment of your commitment to information security.


ISO 27001 Document Types

There are different types of ISO 27001 documentation, each performing a specific role in your ISMS.

These include:

| Document Type | Summary |
|---------------|---------|
| Policies | Policies are formal documents, approved by top management. Policies express the intentions and direction of the organisation. They provide the rules, the guardrails that employees are expected to follow. |
| Processes | Processes illustrate or describe a series of tasks and activities that produce an outcome. |
| Procedures | Procedures are a set of instructions for completing a single task or activity within a process. |
| Standards | Standards describe the principles, expectations and quality criteria required to deliver an outcome. |
| Records | Records represent the output of an activity. They serve as evidence that a policy, process and/or procedure has been performed to the required standard. |
| Templates | Templates are pre-defined, pre-formatted documents that ensure consistency and control of documented information. Typically, you would have a template for policies, processes, procedures and standards. You would also have a template for each type of record. |


Each document type serves a very specific purpose on your journey to effective information security.

ISO 27001 Mandatory Documents vs Non-Mandatory

Within the realm of ISO 27001 documentation, there are two distinct categories:

  • Mandatory documents, and
  • Non-mandatory documents.

Mandatory documents are those that the Standard requires you to have. These are a must-have to achieve and maintain compliance with the Standard.

As of ISO 27001:2022, and counting the way this article does, there are 24 mandatory documents and records (12 documents and 12 records). Note that the Standard never publishes such a count itself: its requirements are spread across the management-system clauses (Clauses 4 to 10), which apply to every certified organisation, and the Annex A controls, which are required wherever you declare the control applicable in your Statement of Applicability. Examples include:

  • ISMS Scope
  • Information security policy
  • ISO 27001 Statement of Applicability (SOA)

Continue reading for the Ultimate List of ISO 27001 Mandatory Documents.

Non-mandatory documents offer extra guidance that enhance the effectiveness of your ISMS.

While they are not explicitly required by ISO 27001, they are recommended.

These non-mandatory documents address specific areas and help bolster your security posture.

Having a complete set of mandatory and non-mandatory documents ensures your organisation is well-prepared for evolving information security threats.

These documents guide your security practices and serve as a reference for ongoing improvement.

Remember, the strength of your ISMS lies not only in the implementation of security controls but also in the documentation. These documents both support and reinforce your security efforts.

So, take the time to develop and maintain your ISO 27001 documents.

Ultimate List of ISO 27001 Mandatory Documents


Now, let's unveil the ultimate checklist of ISO 27001 mandatory documents. The first six come from the management-system clauses and apply to everyone; the remainder come from Annex A and are required wherever the control is applicable, which in practice is nearly always:

| Document name | Summary | ISO 27001 Reference |
|---------------|---------|---------------------|
| ISMS Scope | Defines the boundaries and applicability of your ISMS, including interfaces and dependencies with outside parties. | [Clause 4.3](/blog/iso-27001-clause-4-3) |
| Information security policy | Outlines your organisation's approach to information security and top management's commitment to it. | [Clause 5.2](/blog/iso-27001-clause-5-2) |
| Information security objectives | Details the (SMART) objectives that your ISMS is intended to deliver. | [Clause 6.2](/blog/iso-27001-clause-6-2) |
| Risk assessment process | Describes the tasks and activities required to identify, analyse and evaluate risk, including your risk acceptance criteria. | [Clause 6.1.2](/blog/iso-27001-clause-6-1) |
| Risk treatment process | Describes the tasks and activities required to treat risk. | [Clause 6.1.3](/blog/iso-27001-clause-6-1) |
| ISO 27001 Statement of Applicability (SoA) | Lists the necessary controls, states whether each is implemented, and records the justification for including each control and for excluding any Annex A control. | [Clause 6.1.3](/blog/iso-27001-clause-6-1) |
| Acceptable use policy | Defines the rules for the approved usage of computing resources. This often includes devices, internet and email. | [Annex A.5.10](/blog/iso-27001-annex-a-5-10) |
| Definition of security roles and responsibilities | Outlines employee roles and responsibilities in relation to security. | Clause 5.3 and Annex A.5.2; the responsibilities are also carried into contracts of employment under [Annex A.6.2](/blog/iso-27001-annex-a-6-2) and confidentiality agreements under [Annex A.6.6](/blog/iso-27001-annex-a-6-6) |
| Secure system development policy | Outlines your organisation's approach to building secure systems across the development life cycle. | Annex A.8.25 and [Annex A.8.27](/blog/iso-27001-annex-a-8-27) |
| Incident management procedure | Provides step-by-step instructions on how to manage incidents and breaches. | Annex A.5.24 and [Annex A.5.26](/blog/iso-27001-annex-a-5-26) |
| Security procedures for IT management (documented operating procedures) | These documents provide step-by-step instructions on how to carry out specific security-related tasks. | [Annex A.5.37](/blog/iso-27001-annex-a-5-37) |
| Definition of security configurations | Defines the secure baseline configurations for hardware, software, services and networks. | [Annex A.8.9](/blog/iso-27001-annex-a-8-9) |

Complete List of ISO 27001 Mandatory Records


In addition to the mandatory documents, you also need to maintain certain records.

Here is a handy list of ISO 27001 mandatory records:

| Document name | Summary | ISO 27001 Reference |
|---------------|---------|---------------------|
| Risk Register | Catalogue of the security risks you have identified and are managing, with their owners, assessed levels and treatment status. | [Clause 6.1.2](/blog/iso-27001-clause-6-1) and [Clause 8.2](/blog/iso-27001-clause-8-2) |
| Inventory of assets | Catalogue of IT and non-IT assets in your organisation, each with an owner. | [Annex A.5.9](/blog/iso-27001-annex-a-5-9) |
| Legal, Regulatory and Compliance (LRC) Register | Catalogue of your organisation's legal, regulatory and contractual obligations. | [Annex A.5.31](/blog/iso-27001-annex-a-5-31) |
| Risk treatment plan | Outlines your plans to treat risks. This often includes the risk, treatment plan, owners and timelines. | [Clause 6.1.3](/blog/iso-27001-clause-6-1), [Clause 6.2](/blog/iso-27001-clause-6-2), and [Clause 8.3](/blog/iso-27001-clause-8-3) |
| Internal Audit Programme | Outlines the structure and approach to ISO 27001 internal audit, including frequency, methods and responsibilities. | [Clause 9.2](/blog/iso-27001-clause-9-2) |
| Risk assessment and risk treatment report | The foundation for your security decisions. Records the results of each risk assessment and of the risk treatment that followed. | [Clause 8.2](/blog/iso-27001-clause-8-2) and [Clause 8.3](/blog/iso-27001-clause-8-3) |
| Training, skills, experience and qualifications log | Catalogue of the capabilities and competence of your employees, in relation to security. | [Clause 7.2](/blog/iso-27001-clause-7-2) |
| Measurement Report | Records that detail the output of your monitoring and measurement activities. | [Clause 9.1](/blog/iso-27001-clause-9-1) |
| Results of internal audits | Records that detail the output of your internal audits. These are often formal documents that include scope, approach, findings and recommendations. | [Clause 9.2](/blog/iso-27001-clause-9-2) |
| Results of management review | Records that detail the output of your management reviews. These are often meeting minutes and documented approvals. | [Clause 9.3](/blog/iso-27001-clause-9-3) |
| Results of corrective action | Records of each nonconformity, the corrective action taken and its results. Evidence can include test results, re-assessed risks and follow-up internal audits. | [Clause 10.2](/blog/iso-27001-clause-10-2) |
| Security logs and monitoring results | Records that detail the output of any security logging and monitoring. These often include user activities, login data, exceptions and security events. | [Annex A.8.15](/blog/iso-27001-annex-a-8-15) |

Non-mandatory but Recommended ISO 27001 Documents


While the mandatory documents are key, non-mandatory documents help enhance your ISMS.

These documents are not required by ISO 27001, but they address specific areas and help bolster your security posture. Many of them are also the natural place to document how you meet an Annex A control you have declared applicable.

Here are a few non-mandatory documents you may consider implementing:

| Document name | Summary | ISO 27001 Reference |
|---------------|---------|---------------------|
| Procedure for Document and Record Control | Defines the procedure for the management and control of documents and records. | [Clause 7.5](/blog/iso-27001-clause-7-5) and [Annex A.5.33](/blog/iso-27001-annex-a-5-33) |
| Procedure for Internal Audit | Defines the procedure for performing internal audits. | [Clause 9.2](/blog/iso-27001-clause-9-2) |
| Procedure for Corrective Action | Defines the procedure for identifying and addressing nonconformities and the approach to preventing recurrence. | [Clause 10.2](/blog/iso-27001-clause-10-2) |
| Information Classification Policy | Provides the business rules for effectively classifying and labelling information that your organisation is responsible for. | [Annex A.5.10](/blog/iso-27001-annex-a-5-10), [Annex A.5.12](/blog/iso-27001-annex-a-5-12), and [Annex A.5.13](/blog/iso-27001-annex-a-5-13) |
| Information Transfer Policy | Outlines the business rules and authorised methods for transferring information in and out of your organisation. | [Annex A.5.14](/blog/iso-27001-annex-a-5-14) |
| Access Control Policy | Defines the guardrails for ensuring secure, authorised access to company resources. | [Annex A.5.15](/blog/iso-27001-annex-a-5-15) |
| Password Policy | Defines the business rules for secure passwords and other authentication information. | [Annex A.5.16](/blog/iso-27001-annex-a-5-16), [Annex A.5.17](/blog/iso-27001-annex-a-5-17), and [Annex A.8.5](/blog/iso-27001-annex-a-8-5) |
| Supplier Security Policy | Outlines the business rules for supplier security and your approach to managing third-party risk. | [Annex A.5.19](/blog/iso-27001-annex-a-5-19), [Annex A.5.21](/blog/iso-27001-annex-a-5-21), [Annex A.5.22](/blog/iso-27001-annex-a-5-22), and [Annex A.5.23](/blog/iso-27001-annex-a-5-23) |
| Disaster Recovery Plan | Describes the actions the organisation will take to recover from a disaster or an event that impacts business continuity. | [Annex A.5.29](/blog/iso-27001-annex-a-5-29), [Annex A.5.30](/blog/iso-27001-annex-a-5-30), and [Annex A.8.14](/blog/iso-27001-annex-a-8-14) |
| Mobile Device, Teleworking, and Work from Home Policy | Describes the business rules for remote working and authorised use of mobile devices. | [Annex A.6.7](/blog/iso-27001-annex-a-6-7), [Annex A.7.8](/blog/iso-27001-annex-a-7-8), [Annex A.7.9](/blog/iso-27001-annex-a-7-9), and [Annex A.8.1](/blog/iso-27001-annex-a-8-1) |
| Procedures for Working in Secure Areas | Describes the procedures that staff must follow when working in secure areas. | [Annex A.7.4](/blog/iso-27001-annex-a-7-4) and [Annex A.7.6](/blog/iso-27001-annex-a-7-6) |
| Clear Desk and Clear Screen Policy | Outlines your organisation's approach to clear screens and clear desks. | [Annex A.7.7](/blog/iso-27001-annex-a-7-7) |
| Bring Your Own Device (BYOD) Policy | Defines the rules that employees must follow when using personal devices to access company resources (i.e. BYOD). | [Annex A.7.8](/blog/iso-27001-annex-a-7-8) and [Annex A.8.1](/blog/iso-27001-annex-a-8-1) |
| Disposal and Destruction Policy | Outlines your organisation's approach to the safe and secure destruction and disposal of assets and the deletion of information. | [Annex A.7.10](/blog/iso-27001-annex-a-7-10), [Annex A.7.14](/blog/iso-27001-annex-a-7-14), and [Annex A.8.10](/blog/iso-27001-annex-a-8-10) |
| Backup Policy | Describes your approach to backup (and recovery), including how often restores are tested. | [Annex A.8.13](/blog/iso-27001-annex-a-8-13) |
| Encryption Policy | Describes your approach to encryption and what methods are supported and/or authorised. This should include approved algorithms, key lengths and key management. | [Annex A.8.24](/blog/iso-27001-annex-a-8-24) |
| Change Management Policy | Outlines your organisation's approach to managing change, in particular changes that impact information security. | [Annex A.8.32](/blog/iso-27001-annex-a-8-32) |

5 Steps to Implementing ISO 27001 Documentation

Now that you have a clear understanding of the ISO 27001 documentation landscape, let's explore the steps to effectively implement it.

TL;DR

  • Step #1 - Conduct a gap analysis
  • Step #2 - Develop policies and procedures
  • Step #3 - Document control
  • Step #4 - Training and awareness
  • Step #5 - Continual improvement

Let's explore each of these steps in more depth.


Step #1 - Conduct a gap analysis

Assess your existing documentation against the requirements of ISO 27001 and identify any gaps.

Step #2 - Develop policies and procedures

Create clear and concise policies and procedures that align with the standard's requirements and your organisation's specific needs.

Step #3 - Document control

Establish processes to control and manage your documents throughout their lifecycle, ensuring version control, approval, accessibility, and appropriate distribution. Clause 7.5 is explicit about this: documented information must be identified, formatted, reviewed and approved for suitability, and protected from loss of confidentiality, improper use or loss of integrity.

Step #4 - Training and awareness

Train your staff on the importance of information security and their role in maintaining it.

Step #5 - Continual improvement

Regularly review and improve your documentation to reflect changes within your organisation and the evolving threat landscape.

Maintaining ISO 27001 Documentation

Maintaining ISO 27001 documentation is essential for the ongoing success of your ISMS. Here are a few key practices:

  • Regular Review. Review your documents to keep them aligned with your organisation's changing needs.
  • Document control. Document any changes to your documents and maintain a robust record of these changes.
  • Awareness and training. Ensure your documentation is accessible and that you communicate updates to keep everyone informed.
  • Monitor and measure. Monitor and measure the effectiveness of your documentation and identify areas for improvement.

Common Challenges with ISO 27001 mandatory documents

ISO 27001 can generate large volumes of information. This presents some common challenges, including:

  • Lack of Awareness. Lack of awareness of key documents and their role in information security.
  • Document Sprawl. Large volumes of information distributed across different systems.
  • Document Control. Difficulties establishing robust controls for managing documented information.
  • Resistance to Change. Resistance to adopting new processes and procedures.

Consequences of missing ISO 27001 mandatory documents

Imagine this. You're in the middle of an ISO 27001 certification audit and the auditor starts pointing out major nonconformities.

Not having the mandatory documents? That's a big one. A missing mandatory document is a failure to meet a stated requirement of the Standard, and the auditor cannot recommend certification until it is closed.

These critical gaps can delay your certification by weeks.

Why?

It's not the "act" of creating a document that takes time.

It's the other steps that you need to consider to get audit ready.

For example:

  1. Creating the document
  2. Reviewing the document
  3. Management approval
  4. Awareness and training
  5. Evidence gathering
  6. Measuring effectiveness (e.g. internal audits)

This process isn't a minor setback; it can be a major roadblock that can throw off your entire timeline.

Want to avoid this headache? Make sure you have all the required documents from the get-go.

3 Tips for Ensuring Compliance with ISO 27001 Mandatory Documentation Requirements

I have worked with ISO 27001 for over 10 years. I have learned that there are some key things that you can do to ensure compliance with the Standard.

Here are my 3 tips for success:

  1. Prioritise the creation and maintenance of your mandatory documents
  2. Ensure they are comprehensive, up-to-date, and aligned with the standard's requirements
  3. Be prepared to provide evidence. You need to demonstrate that these documents are effectively implemented and followed within your organisation.

FAQs about ISO 27001 Mandatory Documents

Now that we have covered the essentials of ISO 27001 documentation, let's address some common questions:

What are the key mandatory documents for ISO 27001 compliance?

The key mandatory documents include the information security policy, the scope of the ISMS, the risk assessment and risk treatment processes, the Statement of Applicability, the risk treatment plan, and various other documents and records that demonstrate your organisation's commitment to information security.

How often should ISO 27001 documents be reviewed?

ISO 27001 documents should be reviewed regularly. Annual reviews are most common, but you may choose to conduct more frequent reviews.

This ensures your documents remain accurate, relevant, and aligned with your business.

You should also consider reviewing relevant documents as part of significant changes.

For example:

  • Remote/hybrid working may change a process or procedure
  • Adopting a new application may change a system of record
  • Migrating to a new platform may change the security landscape
  • Relocating your offices may change

These events can have both a positive and negative impact on information security. It's important that your documented information reflects it.

What are the penalties for non-compliance with ISO 27001?

ISO 27001 itself does not impose legal penalties. Remember, ISO 27001 is a Standard. It is a best practice. It is about developing a systematic approach to managing information security.

But non-compliance with information security best practices can lead to more indirect consequences. For example:

  • Ineffective information security can lead to security incidents and data breaches. Data breaches lead to financial losses, damage to reputation and legal action
  • Non-compliance with regulations that have a security component (e.g. GDPR). This can lead to potential fines and other sanctions.

Can ISO 27001 documentation be digital?

Of course! Clause 7.5 of the Standard is deliberately neutral on format and media, so electronic documentation is not only allowed but also recommended. Digital formats offer:

  • Greater flexibility,
  • Ease of distribution, and
  • the ability to track changes and revisions effectively.

How to prepare for an ISO 27001 audit?

To prepare for an ISO 27001 audit, ensure your documentation is complete, up-to-date, and implemented.

Conduct internal audits, address any non-conformities, and have a comprehensive understanding of your organisation's information security management system.

What are the common challenges in ISO 27001 documentation?

Creating and maintaining ISO 27001 documentation can pose challenges. Common challenges include:

  • Clarity and comprehensiveness
  • Lack of awareness
  • Document sprawl
  • Document control
  • Resistance to change

To overcome these challenges:

  • Use clear, concise and simple language
  • Leverage a centralised, easy to use, accessible document management system. This should also include version control and version history.
  • Use templates that include common structure, branding and document control.
  • Engage all relevant stakeholders to help overcome challenges and support change.

Conclusion

Congratulations! You are now well-versed in ISO 27001 documentation requirements.

Remember, ISO 27001 is not about checking boxes. It is about cultivating a culture of information security within your organisation.

By embracing the power of well-crafted and effectively implemented documentation, you can secure your information assets and enhance your overall resilience in the face of ever-evolving cybersecurity threats.

So, go forth.

Arm yourself with the mandatory documents.

Bolster your ISMS with non-mandatory ones.

Embark on your ISO 27001 compliance journey with confidence!

P.S. Whenever you're ready, here are 3 ways I can help you:

  1. Subscribe to GRCMANA and each week you will get more tips, strategies and resources that will help you accelerate your GRC career.
  2. Join the Cyber Resilience Network: Join 16,000+ other members in the largest LinkedIn Community dedicated to building cyber resilience in the cloud.
  3. Follow me on LinkedIn for more tools, strategies and insights on how to govern your cloud, secure your cloud and defend your cloud.

About the author
Harry is a technologist and security leader with 20+ years experience in helping organisations govern their cloud, secure their cloud and defend their cloud.